Imagine if every single American citizen had his or her personally identifiable information, such as full names and addresses, leaked onto the Internet. This cybersecurity and privacy nightmare might seem implausible, but that’s exactly what happened in Israel, where 9 million records, those of every living citizen and some deceased, were leaked online and eventually sold on the black market.
According to recent breakthroughs in the investigation, a contracted employee copied the entire Israeli Population Registry database onto his home computer in 2006. When that employee was later fired for unrelated criminal charges, he sold the information to a business client who continued passing the data around online along with a program to querry and search the enormous database – not the sort of Big Data solution that we encourage. The information is suspected to have fallen into criminal hands and, aside from identity theft and petty crime, is a national security threat as it simplifies fraud and false documentation and a threat to the democratic process as it can also be used for voting fraud. The investigation is a great example of Internet sleuthing. Authorities didn’t stop at hard disks and CDs, following leads through cloud services and coupling their forensics with old-fashioned human detective work along with international law enforcement cooperation.
While the investigation displayed great cybersecurity professionalism, leaking the database was the result of glaring lapses in security. Clearly, this contractor should not have been trusted with such high-profile information in the first place, judging from his multiple criminal charges. Though not classified, given all that can be done with personally identifiable information today, it must be treated as highly sensitive and valuable. And, even for reputable employees, such unrestricted access to a massive amount of data is just asking for trouble. It’s easy to say such amateur mistakes could not happen in the United States, but in the WikiLeaks fiasco Bradley Manning, who was found to be distressed and highly dissatisfied with the military, had broad access to classified information which he similarly downloaded. As the recent spate of leaks illustrates, personal records are seldom adequately protected. Recently, an unencrypted laptop was stolen from Sutter Health, exposing 4 million personal records, and the theft of TRICARE backup tapes released 4.9 million health records. Though some of TRICARE’s data had been encrypted before being backed up, it was not to federal standards.
Incidents like this are pushing the federal government to protect data rather than machines or accounts. Even as an administrator, the contractor in Israel should not have been able to download the Population Registry on to his home computer. When dealing with sensitive data, the principle of least privilege should be used to protect against malicious insiders. Rather than give a certain class of users free range on the system, each account should have only the minimum privileges it needs to do its job. Lastly, analytics are available that can make sense of log and behavior data to spot anomalies in user behavior that would suggest an insider threat or a hijacked account. While most enterprises have such capabilities, the log information they generate can be overwhelming. Big Data tools like Splunk can be critical for making the most of your log data to analyze all of your information quickly.
Related articles
- Special Summary: Enterprise security stories (ctovision.com)
- Beer, Bikinis, and Insider Hacks (ctovision.com)
- Splunk: Bringing Big Data Analysis to the Rest of Us (ctovision.com)
Wow.
This article is exactly why the work that the folks at The National Archives and Records Administration’s Controlled Unclassified Information Office (CUI) is so vitally important. http://www.archives.gov/cui
Good post. Care should be given in determining what information should be protected and what information should be widely shared. A principle of open government is to “open data” up to others that can reuse in ways the government may not have considered.
Yet, your point is well made. Data that should be private needs to be protected.
Interesting post. Great thought here: “Protect data rather than machines or accounts”. Thanks for sharing!